View the settings you can configure in profiles for Firewall policy in the endpoint security node of Intune as part of an Endpoint security policy.
Applies to:
- macOS
- Windows

Important
On October 14, 2025, Windows 10 reached end of support and won't receive quality and feature updates. Windows 10 is an allowed version in Intune. Devices running this version can still enroll in Intune and use eligible features, but functionality won't be guaranteed and can vary.
Note
Beginning on April 5, 2022, the Firewall profiles for the Windows 10 and later platform were replaced by the Windows platform and new instances of those same profiles. Profiles created after that date use a new settings format as found in the Settings Catalog. With this change you can no longer create new versions of the old profile and they are no longer being developed. Although you can no longer create new instances of the older profile, you can continue to edit and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of each setting by name. Instead, the name of each setting, its configuration options, and the explanatory text you see in the Microsoft Intune admin center are taken directly from the setting's authoritative content. That content can provide more information about the use of the setting in its proper context. When viewing a setting's information text, you can use its Learn more link to open that content.
The settings details for Windows profiles in this article apply to those deprecated profiles.
Supported platforms and profiles:
- macOS
  - Profile: macOS firewall
- Windows
  - Profile: Windows Firewall
macOS firewall profile
Firewall
The following settings are configured as Endpoint Security policy for macOS Firewalls.
- Enable Firewall
  - Not configured (default)
  - Yes - Enable the firewall. When set to Yes, you can configure the following settings.
    - Block all incoming connections
      - Not configured (default)
      - Yes - Block all incoming connections except connections that are required for basic Internet services such as DHCP, Bonjour, and IPSec. This blocks all sharing services.
    - Enable stealth mode
      - Not configured (default)
      - Yes - Prevent the computer from responding to probing requests. The computer still answers incoming requests for authorized apps.
    - Firewall apps - Expand the dropdown and then select Add to specify apps and rules for incoming connections for the app.
      - Allow incoming connections
        - Not configured
        - Block
        - Allow
      - Bundle ID - The ID identifies the app. For example: com.apple.app

Windows Firewall profile
Windows Firewall
The following settings are configured as Endpoint Security policy for Windows Firewalls.
- Stateful File Transfer Protocol (FTP)
  CSP: MdmStore/Global/DisableStatefulFtp
  - Not configured (default)
  - Allow - The firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections.
  - Disabled - Stateful FTP is disabled.

- Number of seconds a security association can be idle before it's deleted
  CSP: MdmStore/Global/SaIdleTime
  Specify a time in seconds, between 300 and 3600, for how long security associations are kept after network traffic is no longer seen. If you don't specify a value, the system deletes a security association after it's been idle for 300 seconds.

- Preshared key encoding
  CSP: MdmStore/Global/PresharedKeyEncoding
  If you don't require UTF-8, preshared keys are initially encoded using UTF-8. After that, device users can choose another encoding method.
  - Not configured (default)
  - None
  - UTF8

- No exemptions for Firewall IP sec
  - Not configured (default) - When not configured, you have access to the following IPsec exemption settings, which you can configure individually.
  - Yes - Turn off all Firewall IPsec exemptions. The following settings aren't available to configure.

  - Firewall IP sec exemptions allow neighbor discovery
    CSP: MdmStore/Global/IPsecExempt
    - Not configured (default)
    - Yes - Firewall IPsec exemptions allow neighbor discovery.

  - Firewall IP sec exemptions allow ICMP
    CSP: MdmStore/Global/IPsecExempt
    - Not configured (default)
    - Yes - Firewall IPsec exemptions allow ICMP.

  - Firewall IP sec exemptions allow router discovery
    CSP: MdmStore/Global/IPsecExempt
    - Not configured (default)
    - Yes - Firewall IPsec exemptions allow router discovery.

  - Firewall IP sec exemptions allow DHCP
    CSP: MdmStore/Global/IPsecExempt
    - Not configured (default)
    - Yes - Firewall IPsec exemptions allow DHCP.

- Certificate revocation list (CRL) verification
  CSP: MdmStore/Global/CRLcheck
  Specify how certificate revocation list (CRL) verification is enforced.
  - Not configured (default) - Use the client default, which is to disable CRL verification.
  - None
  - Attempt
  - Require

- Require keying modules to only ignore the authentication suites they don't support
  CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM
  - Not configured (default)
  - Disabled
  - Enabled - Keying modules ignore unsupported authentication suites.

- Packet queuing
  CSP: MdmStore/Global/EnablePacketQueue
  Specify how to enable scaling for the software on the receive side for the encrypted receive and clear text forward in the IPsec tunnel gateway scenario. This ensures the packet order is preserved.
  - Not configured (default) - Packet queuing is returned to the client default, which is disabled.
  - Disabled
  - Queue Inbound
  - Queue Outbound
  - Queue Both

- Turn on Windows Firewall for domain networks
  CSP: EnableFirewall
  - Not configured (default) - The client returns to its default, which is to enable the firewall.
  - Yes - The Windows Firewall for the network type of domain is turned on and enforced. You also gain access to additional settings for this network.
  - No - Disable the firewall.

  Additional settings for this network, when set to Yes:
  - Block stealth mode
    CSP: DisableStealthMode
    By default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
    - Not configured (default)
    - Yes
    - No

  - Enable shielded mode
    CSP: Shielded
    - Not configured (default) - Use the client default, which is to disable shielded mode.
    - Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
    - No

  - Block unicast responses to multicast broadcasts
    CSP: DisableUnicastResponsesToMulticastBroadcast
    - Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
    - Yes - Unicast responses to multicast broadcasts are blocked.
    - No - Enforce the client default, which is to allow unicast responses.

  - Disable inbound notifications
    CSP: DisableInboundNotifications
    - Not configured (default) - The setting returns to the client default, which is to allow the user notification.
    - Yes - User notification is suppressed when an application is blocked by an inbound rule.
    - No - User notifications are allowed.

  - Block outbound connections
    CSP: DefaultOutboundAction
    This setting applies to Windows version 1809 and later. This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to allow connections.
    - Yes - All outbound connections that don't match an outbound rule are blocked.
    - No - All connections that don't match an outbound rule are allowed.

  - Block inbound connections
    CSP: DefaultInboundAction
    This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to block connections.
    - Yes - All inbound connections that don't match an inbound rule are blocked.
    - No - All connections that don't match an inbound rule are allowed.

  - Ignore authorized application firewall rules
    CSP: AuthAppsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Authorized application firewall rules in the local store are ignored.
    - No - Authorized application firewall rules are honored.

  - Ignore global port firewall rules
    CSP: GlobalPortsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Global port firewall rules in the local store are ignored.
    - No - The global port firewall rules are honored.

  - Ignore all local firewall rules
    CSP: IPsecExempt
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - All firewall rules in the local store are ignored.
    - No - The firewall rules in the local store are honored.

  - Ignore connection security rules
    CSP: AllowLocalIpsecPolicyMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - IPsec firewall rules in the local store are ignored.
    - No - IPsec firewall rules in the local store are honored.
 
- Turn on Windows Firewall for private networks
  CSP: EnableFirewall
  - Not configured (default) - The client returns to its default, which is to enable the firewall.
  - Yes - The Windows Firewall for the network type of private is turned on and enforced. You also gain access to additional settings for this network.
  - No - Disable the firewall.

  Additional settings for this network, when set to Yes:
  - Block stealth mode
    CSP: DisableStealthMode
    By default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
    - Not configured (default)
    - Yes
    - No

  - Enable shielded mode
    CSP: Shielded
    - Not configured (default) - Use the client default, which is to disable shielded mode.
    - Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
    - No

  - Block unicast responses to multicast broadcasts
    CSP: DisableUnicastResponsesToMulticastBroadcast
    - Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
    - Yes - Unicast responses to multicast broadcasts are blocked.
    - No - Enforce the client default, which is to allow unicast responses.

  - Disable inbound notifications
    CSP: DisableInboundNotifications
    - Not configured (default) - The setting returns to the client default, which is to allow the user notification.
    - Yes - User notification is suppressed when an application is blocked by an inbound rule.
    - No - User notifications are allowed.

  - Block outbound connections
    CSP: DefaultOutboundAction
    This setting applies to Windows version 1809 and later. This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to allow connections.
    - Yes - All outbound connections that don't match an outbound rule are blocked.
    - No - All connections that don't match an outbound rule are allowed.

  - Block inbound connections
    CSP: DefaultInboundAction
    This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to block connections.
    - Yes - All inbound connections that don't match an inbound rule are blocked.
    - No - All connections that don't match an inbound rule are allowed.

  - Ignore authorized application firewall rules
    CSP: AuthAppsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Authorized application firewall rules in the local store are ignored.
    - No - Authorized application firewall rules are honored.

  - Ignore global port firewall rules
    CSP: GlobalPortsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Global port firewall rules in the local store are ignored.
    - No - The global port firewall rules are honored.

  - Ignore all local firewall rules
    CSP: IPsecExempt
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - All firewall rules in the local store are ignored.
    - No - The firewall rules in the local store are honored.

  - Ignore connection security rules
    CSP: AllowLocalIpsecPolicyMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - IPsec firewall rules in the local store are ignored.
    - No - IPsec firewall rules in the local store are honored.
 
- Turn on Windows Firewall for public networks
  CSP: EnableFirewall
  - Not configured (default) - The client returns to its default, which is to enable the firewall.
  - Yes - The Windows Firewall for the network type of public is turned on and enforced. You also gain access to additional settings for this network.
  - No - Disable the firewall.

  Additional settings for this network, when set to Yes:
  - Block stealth mode
    CSP: DisableStealthMode
    By default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
    - Not configured (default)
    - Yes
    - No

  - Enable shielded mode
    CSP: Shielded
    - Not configured (default) - Use the client default, which is to disable shielded mode.
    - Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
    - No

  - Block unicast responses to multicast broadcasts
    CSP: DisableUnicastResponsesToMulticastBroadcast
    - Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
    - Yes - Unicast responses to multicast broadcasts are blocked.
    - No - Enforce the client default, which is to allow unicast responses.

  - Disable inbound notifications
    CSP: DisableInboundNotifications
    - Not configured (default) - The setting returns to the client default, which is to allow the user notification.
    - Yes - User notification is suppressed when an application is blocked by an inbound rule.
    - No - User notifications are allowed.

  - Block outbound connections
    CSP: DefaultOutboundAction
    This setting applies to Windows version 1809 and later. This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to allow connections.
    - Yes - All outbound connections that don't match an outbound rule are blocked.
    - No - All connections that don't match an outbound rule are allowed.

  - Block inbound connections
    CSP: DefaultInboundAction
    This rule is evaluated at the very end of the rule list.
    - Not configured (default) - The setting returns to the client default, which is to block connections.
    - Yes - All inbound connections that don't match an inbound rule are blocked.
    - No - All connections that don't match an inbound rule are allowed.

  - Ignore authorized application firewall rules
    CSP: AuthAppsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Authorized application firewall rules in the local store are ignored.
    - No - Authorized application firewall rules are honored.

  - Ignore global port firewall rules
    CSP: GlobalPortsAllowUserPrefMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - Global port firewall rules in the local store are ignored.
    - No - The global port firewall rules are honored.

  - Ignore all local firewall rules
    CSP: IPsecExempt
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - All firewall rules in the local store are ignored.
    - No - The firewall rules in the local store are honored.

  - Ignore connection security rules
    CSP: AllowLocalIpsecPolicyMerge
    - Not configured (default) - The setting returns to the client default, which is to honor the local rules.
    - Yes - IPsec firewall rules in the local store are ignored.
    - No - IPsec firewall rules in the local store are honored.
 
 
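As an added illustration of how the per-network settings above interact (this is not Microsoft's code or an Intune artifact), the following Python model applies the local-store merge settings and then the default inbound/outbound action to a constructed rule set. It assumes the standard Windows Firewall precedence that a matching block rule overrides a matching allow rule; the rule fields, the `store`/`kind` labels and the sample rules are constructed, and connection security (IPsec) rules are left out of the model.

```python
"""Model of how the Windows Firewall profile settings above combine (added example).
Assumes the standard Windows Firewall precedence: a matching block rule beats a
matching allow rule; the default action applies only when no rule matches."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "in" or "out"
    action: str                     # "allow" or "block"
    protocol: Optional[int] = None  # 6 = TCP, 17 = UDP, None = Any
    port: Optional[int] = None      # local port for "in", remote port for "out"
    store: str = "mdm"              # "mdm" (pushed by Intune) or "local" (constructed label)
    kind: str = "rule"              # local-store category: "rule", "authapp", "globalport"


@dataclass
class Profile:
    """One network type (domain, private or public) as configured in Intune."""
    enable_firewall: bool = True        # Turn on Windows Firewall (EnableFirewall)
    block_inbound: bool = True          # Block inbound connections (client default: block)
    block_outbound: bool = False        # Block outbound connections (client default: allow)
    ignore_local_rules: bool = False    # Ignore all local firewall rules
    ignore_auth_apps: bool = False      # Ignore authorized application firewall rules
    ignore_global_ports: bool = False   # Ignore global port firewall rules
    rules: List[Rule] = field(default_factory=list)

    def effective_rules(self) -> List[Rule]:
        """Rules that survive the local-store merge settings."""
        kept = []
        for r in self.rules:
            ignored = r.store == "local" and (
                self.ignore_local_rules
                or (r.kind == "authapp" and self.ignore_auth_apps)
                or (r.kind == "globalport" and self.ignore_global_ports))
            if not ignored:
                kept.append(r)
        return kept

    def decide(self, direction: str, protocol: int, port: int) -> str:
        """Return "allow" or "block" for one connection attempt."""
        if not self.enable_firewall:
            return "allow"
        matches = [r for r in self.effective_rules()
                   if r.direction == direction
                   and r.protocol in (None, protocol)
                   and r.port in (None, port)]
        if any(r.action == "block" for r in matches):
            return "block"   # assumed precedence: block rules win over allow rules
        if matches:
            return "allow"
        # No rule matched: the default action is evaluated at the very end.
        blocked = self.block_inbound if direction == "in" else self.block_outbound
        return "block" if blocked else "allow"


def sample_decisions() -> dict:
    """Constructed scenario: an Intune HTTPS allow rule plus a local RDP allow rule."""
    profile = Profile(rules=[
        Rule("Allow HTTPS in", "in", "allow", 6, 443, "mdm"),
        Rule("Local RDP allow", "in", "allow", 6, 3389, "local"),
    ])
    rdp_before = profile.decide("in", 6, 3389)   # local rule still honored
    profile.ignore_local_rules = True
    rdp_after = profile.decide("in", 6, 3389)    # falls through to default: block
    profile.block_outbound = True
    web_out = profile.decide("out", 6, 80)       # no outbound rule: now blocked
    return {"rdp_before": rdp_before, "rdp_after": rdp_after, "web_out": web_out}
```

The scenario shows why "Ignore all local firewall rules" needs care: any access that only a locally created rule permitted falls through to the profile's default action once the local store is ignored.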
Windows Firewall rules
This profile is in Preview.
The following settings are configured as Endpoint Security policy for Windows Firewalls.
Windows Firewall Rule
- Name
  Specify a friendly name for your rule. This name appears in the list of rules to help you identify it.
- Description
  Provide a description of the rule.
- Direction
  - Not configured (default) - This rule defaults to outbound traffic.
  - Out - This rule applies to outbound traffic.
  - In - This rule applies to inbound traffic.
- Action
  - Not configured (default) - The rule defaults to allow traffic.
  - Blocked - Traffic is blocked in the Direction you've configured.
  - Allowed - Traffic is allowed in the Direction you've configured.
- Network type
  Specify the network type to which the rule belongs. You can choose one or more of the following. If you don't select an option, the rule applies to all network types.
  - Domain
  - Private
  - Public
  - Not configured

Application settings
Applications targeted with this rule:
- Package family name
  Package family names can be retrieved by running the Get-AppxPackage command from PowerShell.
- File path
  CSP: FirewallRules/FirewallRuleName/App/FilePath
  To specify the file path of an app, enter the app's location on the client device. For example: C:\Windows\System\Notepad.exe
- Service name
  CSP: FirewallRules/FirewallRuleName/App/ServiceName
  Use a Windows service short name when a service, not an application, is sending or receiving traffic. Service short names are retrieved by running the Get-Service command from PowerShell.
Port and protocol settings
Specify the local and remote ports to which this rule applies:
- Protocol
  CSP: FirewallRules/FirewallRuleName/Protocol
  Specify the protocol for this port rule.
  - Transport layer protocols like TCP (6) and UDP (17) allow you to specify ports or port ranges.
  - For custom protocols, enter a number between 0 and 255 that represents the IP protocol.
  - When nothing is specified, the rule defaults to Any.

- Interface types
  Specify the interface types to which the rule belongs. You can choose one or more of the following. If you don't select an option, the rule applies to all interface types:
  - Remote access
  - Wireless
  - Local area network
  - Not configured
  - Mobile Broadband - This option replaces the previous Mobile Broadband entry, which is deprecated and no longer supported.
  - [Not Supported] Mobile Broadband - Don't use this option, which is the original Mobile Broadband option. It no longer functions correctly. Replace its use with the newer Mobile Broadband option.

- Authorized users
  CSP: FirewallRules/FirewallRuleName/LocalUserAuthorizationList
  Specify a list of authorized local users for this rule. A list of authorized users can't be specified if Service name in this policy is set as a Windows service. If no authorized user is specified, the default is all users.
IP address settings
Specifies the local and remote addresses to which this rule applies:
- Any local address
  - Not configured (default) - Use the following setting, Local address ranges, to configure a range of addresses to support.
  - Yes - Support any local address and don't configure an address range.

- Local address ranges
  CSP: FirewallRules/FirewallRuleName/LocalAddressRanges
  Manage local address ranges for this rule. You can:
  - Add one or more addresses as a comma-separated list of local addresses that are covered by the rule.
  - Import a .csv file containing a list of local IP address ranges using the 'LocalAddressRanges' header.
  - Export your current list of local address ranges as a .csv file.
  Valid entries (tokens) include the following options:
  - An asterisk - An asterisk (*) indicates any local address. If present, the asterisk must be the only token included.
  - A subnet - Specify subnets by using the subnet mask or network prefix notation. If a subnet mask or network prefix isn't specified, the subnet mask defaults to 255.255.255.255.
  - A valid IPv6 address
  - An IPv4 address range - IPv4 ranges must be in the format start address-end address with no spaces included, where the start address is less than the end address.
  - An IPv6 address range - IPv6 ranges must be in the format start address-end address with no spaces included, where the start address is less than the end address.
  When no value is specified, this setting defaults to Any address.

- Any remote address
  - Not configured (default) - Use the following setting, Remote address ranges, to configure a range of addresses to support.
  - Yes - Support any remote address and don't configure an address range.

- Remote address ranges
  CSP: FirewallRules/FirewallRuleName/RemoteAddressRanges
  Manage remote address ranges for this rule. You can:
  - Add one or more addresses as a comma-separated list of remote addresses that are covered by the rule.
  - Import a .csv file containing a list of remote IP address ranges using the 'RemoteAddressRanges' header.
  - Export your current list of remote address ranges as a .csv file.
  Valid entries (tokens) include the following and aren't case-sensitive:
  - An asterisk - An asterisk (*) indicates any remote address. If present, the asterisk must be the only token included.
  - Defaultgateway
  - DHCP
  - DNS
  - WINS
  - Intranet - Supported on devices that run Windows 1809 or later.
  - RmtIntranet - Supported on devices that run Windows 1809 or later.
  - Ply2Renders - Supported on devices that run Windows 1809 or later.
  - LocalSubnet - Indicates any local address on the local subnet.
  - A subnet - Specify subnets by using the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask defaults to 255.255.255.255.
  - A valid IPv6 address
  - An IPv4 address range - IPv4 ranges must be in the format start address-end address with no spaces included, where the start address is less than the end address.
  - An IPv6 address range - IPv6 ranges must be in the format start address-end address with no spaces included, where the start address is less than the end address.
  When no value is specified, this setting defaults to Any address.
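The token grammar for local and remote address ranges, as an added example (not Microsoft's code): a Python validator that applies the rules listed above before a value is pasted into the policy or a .csv import. It assumes tokens are comma-separated, treats a bare IPv4 address as a subnet whose mask defaults to 255.255.255.255, and uses Python's `ipaddress` module for the subnet and address checks as an approximation of the admin center's own parsing.

```python
"""Validator for the Local/Remote address ranges token lists (added example).
Implements the token rules stated above: '*' alone, subnets with a mask or
prefix, IPv6 addresses, start-end ranges with no spaces and start < end, and
the case-insensitive remote keywords. Assumes comma-separated tokens."""
import ipaddress
from typing import List

# Keywords the page lists as valid remote-address tokens (case-insensitive).
REMOTE_KEYWORDS = {"defaultgateway", "dhcp", "dns", "wins", "intranet",
                   "rmtintranet", "ply2renders", "localsubnet"}


def _range_error(token: str) -> str:
    """Check a 'start-end' range; return '' if valid, otherwise the problem."""
    start, _, end = token.partition("-")
    if not start or not end:
        return "range must be written as start-end"
    try:
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError:
        return "range endpoints must be valid IP addresses"
    if first.version != last.version:
        return "range endpoints must use the same IP version"
    if not first < last:
        return "range start must be less than the end"
    return ""


def _token_error(token: str, remote: bool) -> str:
    """Classify one token per the page's rules; '' means valid."""
    if any(ch.isspace() for ch in token):
        return "token must not contain spaces"
    if remote and token.lower() in REMOTE_KEYWORDS:
        return ""
    if "-" in token:
        return _range_error(token)
    try:
        # Accepts a.b.c.d/24, a.b.c.d/255.255.255.0, a bare IPv4 address (mask
        # defaults to 255.255.255.255, i.e. /32) and a bare IPv6 address (/128).
        ipaddress.ip_network(token, strict=False)
    except ValueError:
        return "not a subnet, IP address, address range or keyword"
    return ""


def check_address_ranges(value: str, remote: bool = False) -> List[str]:
    """Return the problems found in a comma-separated token list ([] = valid).

    Whitespace around the commas is tolerated (an assumption); whitespace inside
    a token is rejected, as the page requires for ranges. An empty value is
    valid because the setting then defaults to Any address.
    """
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return []
    if "*" in tokens:
        return [] if len(tokens) == 1 else ["'*' must be the only token when present"]
    return [f"{tok!r}: {err}" for tok in tokens
            if (err := _token_error(tok, remote))]
```

Keywords such as DNS or LocalSubnet are only accepted with `remote=True`, matching the page, which lists them for remote address ranges only.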